On Demand Assessments for Unified Support Customers – A SCOM Example with gMSA

SCOM On-Demand Assessment Dashboard

What is Services Hub?

For those folks with a Unified support contract, you likely know about Services Hub.
If you don’t know: Services Hub is a website that gives Microsoft customers visibility into their Microsoft products and services, provides customized training and support resources, and solution monitoring to help prevent and resolve issues faster. For more information, see https://serviceshub.microsoft.com/about/

On-Demand Assessments

Included with Services Hub is a virtual buffet of On-Demand Assessments. On-Demand Assessments provide ongoing analysis of your critical workloads, and predict and prescribe helpful next steps to improve and optimize the health of your Microsoft IT environment. The Getting Started with On-Demand Assessments document details the key benefits and features of On-Demand Assessments in the Services Hub. The assessments are free; “all you can eat”. You need only have an Azure subscription with a Log Analytics workspace.

I recently set up the assessment for Operations Manager (SCOM) in my lab. There was a decent learning curve, as the current configuration docs (as of 10/2022) are a little bit out of date, something I brought to the attention of the folks who own the content. The owners are currently working on the updates, but until then, here are my notes.


This won’t be a highly detailed walkthrough, but rather something that more closely resembles breadcrumbs from my journey, with plenty of pictures.

Services Hub Login


Enter the On-Demand Assessments area.

If your account is not already attached to a Log Analytics workspace, you will be prompted to do so. In my case I was able to select from my existing Azure subscription.

I selected an existing LA Workspace. You may create a new workspace if you so choose.

I selected the SCOM ODA.

There are a couple of options when it comes to how you want to configure the ODA. In my case, I had an existing SCOM 2022 management group. You could use the Operations Manager Console to connect to an existing LA Workspace but in my case, I wanted to simulate my customer’s environment. I chose to configure a single Collection server on my first management server, MS21. The collection server uses an LA proxy server “Gateway”: SQLRPT21.

The option exists to connect the SCOM mgmt group directly to LA (shown directly below). I did not use this method.

In the Azure Portal LA Workspace you will find the assessment configuration area. There are two scenarios described. Scenario one is best suited for my customer.

In the LAW -> Agents Management blade is where you can download the Agent and the Gateway. In my case I only needed the Gateway component because my SCOM mgmt server (MS21) already contains an agent. Additionally you will find your Workspace ID and Keys.

I installed the Gateway bits on the proxy server: SQLRPT21, and set the proxy port to: 8080.
I configured the ALA tab on the Gateway proxy server as shown below:
(Use your own Key)


On the Collection server (MS21) I configured the Proxy Settings tab as shown so the Collection server will connect to the Proxy/Gateway at the address/port shown. However, the ALA ID and Key are still required on the Collection server even though the same ID/Key are already configured on the Gateway.


On my Collection server I added the Workspace ID and the primary key to the Azure Log Analytics tab of the Microsoft Monitoring Agent applet found in the Control Panel.
(Use your own Key)


In my case, I received some errors on my Gateway server.

After some brief research I discovered that I needed to allow the Gateway to contact the workspace URL (shown in the error Description) with the following PowerShell command:

Add-OMSGatewayAllowedHost -Host 11ba31d4-529d-4acc-8dd0-XXXXXXXXXXXX.ods.opinsights.azure.com -Force

Restart-Service OMSGatewayService

Both your Gateway and Collection server should show a successful connection status. Otherwise, check your firewall settings and/or look for clues in your Collection/Gateway event logs.
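The two connection checks described above can be scripted. The following is an added example and is not code from the original post or from Microsoft: it verifies, on the Gateway server, that the workspace host from the error event is on the allowed-host list, that OMSGatewayService is running and listening on the proxy port, and that the workspace endpoint is reachable; and, on the Collection server, that the Microsoft Monitoring Agent points at the Gateway and reports the workspace as connected. The server names SQLRPT21 and MS21 and port 8080 are the values used in this post; the Workspace ID is a placeholder you must replace with your own. `Get-OMSGatewayAllowedHost` is part of the Gateway's PowerShell module; the `AgentConfigManager.MgmtSvcCfg` COM object and its `proxyUrl`, `GetCloudWorkspaces()` and `ConnectionStatusText` members are the documented agent configuration interface, but the exact shape of what they return is assumed here, so the checks are written to tolerate it.

```powershell
# Added example, not from the original post: sanity checks for the two hops set up above.
# Assumed values: SQLRPT21, MS21 and port 8080 are the names used in this post;
# $WorkspaceId is a placeholder, replace it with your own Workspace ID.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder
$GatewayHost = 'SQLRPT21'
$GatewayPort = 8080

# Run on the Gateway server (SQLRPT21).
function Test-OdaGateway {
    param([string]$WorkspaceId, [int]$GatewayPort)

    # The host named in the Gateway error event: <WorkspaceId>.ods.opinsights.azure.com
    $odsHost = "$WorkspaceId.ods.opinsights.azure.com"

    # Get-OMSGatewayAllowedHost lists the locally configured allowed hosts. It is rendered to
    # text here so the check does not depend on the property names of the objects it returns.
    $allowedText = Get-OMSGatewayAllowedHost | Out-String

    [pscustomobject]@{
        OdsHostAllowed     = $allowedText -match [regex]::Escape($odsHost)
        ServiceRunning     = (Get-Service -Name OMSGatewayService).Status -eq 'Running'
        ListeningOnPort    = [bool](Get-NetTCPConnection -LocalPort $GatewayPort -State Listen -ErrorAction SilentlyContinue)
        WorkspaceReachable = (Test-NetConnection -ComputerName $odsHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

# Run on the Collection server (MS21).
function Test-OdaCollectionServer {
    param([string]$WorkspaceId, [string]$GatewayHost, [int]$GatewayPort)

    # AgentConfigManager.MgmtSvcCfg is the Microsoft Monitoring Agent configuration COM object.
    # proxyUrl and GetCloudWorkspaces() are its documented members; the workspace property
    # names (workspaceId, ConnectionStatusText) are assumed from the documentation.
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $ws  = $mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }

    [pscustomobject]@{
        ProxyPointsAtGateway = $mma.proxyUrl -like "*${GatewayHost}:${GatewayPort}*"
        GatewayReachable     = (Test-NetConnection -ComputerName $GatewayHost -Port $GatewayPort -WarningAction SilentlyContinue).TcpTestSucceeded
        WorkspaceConfigured  = [bool]$ws
        WorkspaceStatus      = if ($ws) { $ws.ConnectionStatusText } else { 'not configured' }
    }
}

# Usage: run the function that matches the server you are on.
# Test-OdaGateway -WorkspaceId $WorkspaceId -GatewayPort $GatewayPort
# Test-OdaCollectionServer -WorkspaceId $WorkspaceId -GatewayHost $GatewayHost -GatewayPort $GatewayPort
```

Any `False` in the output points you at the same place the post does: a missing allowed host on the Gateway, a firewall between the two servers or between the Gateway and Azure, or an agent that was never given the proxy address.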

Group Managed Service Account (gMSA) Creation

The ODA runs from a scheduled task that is created by the Add-SCOMAssessmentTask PowerShell cmdlet. Before the task can be scheduled, you need an appropriate service account. I use gMSA accounts in my 2022 lab.
This is how I created a gMSA account for the ODA Collection server scheduled task. I ran the following snippet on my domain controller.

# Run on a domain controller (or any host with the ActiveDirectory module).
Import-Module ActiveDirectory

$accountName = 'gMSA-OMODA' #new gMSA Service Account name
$CollectionServerName = 'MS21' #Name of server where the account will be used/retrieved
$PrincipalsAllowedToRetrieveManagedPassword = (Get-ADComputer $CollectionServerName) #retrieve designated server principal object(s) from AD

$params = @{
    Name = $accountName
    DNSHostName = "$($accountName).CONTOSO.COM"
    PrincipalsAllowedToRetrieveManagedPassword = $PrincipalsAllowedToRetrieveManagedPassword
    ManagedPasswordIntervalInDays = 180
    KerberosEncryptionType = 'AES128','AES256'
    Enabled = $True
    PassThru = $True
}
New-ADServiceAccount @params

#Verify account
Get-ADServiceAccount -Identity $accountName -Properties *

You must “install” the gMSA account on the Collection computer so that it can retrieve the account password from AD. This will require the ActiveDirectory PowerShell module. Run the following snippet from your Collection server.

# You must "install" the gMSA account on the Collection computer so that it can retrieve the account password from AD. This will require the ActiveDirectory PowerShell module.
$accountName = 'gMSA-OMODA' #same gMSA name as above; this snippet runs on a different server, so set it again

# This is how you can install the AD tools locally.
Add-WindowsFeature -Name 'RSAT-AD-Tools' -Verbose
Import-Module ActiveDirectory

# You must run this command on your Collection server to install the gMSA account.
Install-ADServiceAccount -Identity $accountName -Verbose

# Optionally you can test the account from the Collection server to verify that you have configured it and installed it to the Collection server correctly. This command should return boolean "True".
Test-ADServiceAccount -Identity $accountName

I allowed the new service account to Log on as a batch job on the Collection server:

I added the service account to my SCOMAdmins security group (member of Operations Manager Administrators user role).

The service account is also a local administrator on all SCOM SQL servers (OperationsManager, DataWarehouse, Reporting SQL instance/cluster servers).

The service account has SysAdmin role on all relevant SCOM SQL server instances.

Create the ODA Scheduled Task with PowerShell

Note: At the time of this writing the “Add-SCOMAssessmentTask” cmdlet appears to be unfinished. It contains a parameter “-RunWithManagedServiceAccount” that is basically disabled/crippled. I assume that this cmdlet will get fully baked at some point in the future. Until then…

Good news though: this author was able to find a workaround. The snippet below creates the Assessment task with a temporary account, then updates the task to run as the designated gMSA account. The temporary account must have “Log on as a batch job” permissions; I used my own account (a Local Administrator). This achieves the desired outcome. It is assumed that this script will be run on the Collection server (my SCOM mgmt server, MS21, in this example).

# ----- Set these variables as needed ----------
$TempAccount = 'tpaul' #required only to create the task.
$gMSA = 'contoso\gMSA-OMODA$'
$WorkingDirectory = 'C:\ODA'
$ServerName = "$($env:COMPUTERNAME).$($env:USERDNSDOMAIN)" #this server FQDN

New-Item -Path $WorkingDirectory -ItemType Directory -ErrorAction SilentlyContinue | Out-Null # Silently create directory if it does not exist
Add-SCOMAssessmentTask -ScheduledTaskUsername $TempAccount -ServerName $ServerName -WorkingDirectory $WorkingDirectory
# Pick the newest assessment task by name, then swap its principal to the gMSA.
$Task1 = Get-ScheduledTask -TaskName "*SCOMAssessment*" | Sort-Object -Property TaskName -Descending | Select-Object -First 1
$Principal = New-ScheduledTaskPrincipal -UserID $gMSA -LogonType Password #gMSA tasks use LogonType Password; no password is stored, Windows retrieves it from AD
Set-ScheduledTask -TaskName $Task1.TaskName -TaskPath $Task1.TaskPath -Principal $Principal
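To confirm that the gMSA setup and the task swap above actually landed, here is an added verification script; it is not code from the original post or from the SCOM assessment module. It is meant to run on the Collection server and checks, in order, that the Collection server is among the principals allowed to retrieve the gMSA password, that the managed password can be fetched locally (the same check as Test-ADServiceAccount above), that the gMSA is a member of the SCOM admins group, that the assessment task now runs as the gMSA with LogonType Password, and that the gMSA's SID holds the “Log on as a batch job” right (read with secedit). The names gMSA-OMODA, MS21, SCOMAdmins, CONTOSO and the “*SCOMAssessment*” task name are the values used in this post; the function name Test-OdaTaskPrincipal is mine.

```powershell
# Added example, not from the original post: verifies the gMSA and assessment task state described above.
# Run on the Collection server (MS21) from an elevated PowerShell session.
# Assumed names (from this post): gMSA-OMODA, MS21, SCOMAdmins, CONTOSO, task name matching *SCOMAssessment*.
Import-Module ActiveDirectory

$AccountName          = 'gMSA-OMODA'
$CollectionServerName = 'MS21'
$ScomAdminsGroup      = 'SCOMAdmins'
$gMSA                 = "CONTOSO\$AccountName`$"

function Test-OdaTaskPrincipal {
    param([string]$AccountName, [string]$CollectionServerName, [string]$ScomAdminsGroup, [string]$gMSA)

    # 1. The gMSA exists and the Collection server may retrieve its password (values are DNs).
    $acct        = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $serverDn    = (Get-ADComputer -Identity $CollectionServerName).DistinguishedName
    $canRetrieve = @($acct.PrincipalsAllowedToRetrieveManagedPassword) -contains $serverDn

    # 2. This host can actually fetch the managed password.
    $installed = Test-ADServiceAccount -Identity $AccountName

    # 3. The gMSA is in the SCOM admins group (a gMSA SamAccountName carries a trailing '$').
    $inScomAdmins = [bool](Get-ADGroupMember -Identity $ScomAdminsGroup |
        Where-Object { $_.SamAccountName -eq "$AccountName`$" })

    # 4. The scheduled task runs as the gMSA with LogonType Password (no stored secret; Windows pulls it from AD).
    $task = Get-ScheduledTask -TaskName '*SCOMAssessment*' | Sort-Object -Property TaskName -Descending | Select-Object -First 1
    $principalIsGmsa = [bool]($task -and ($task.Principal.UserId -eq $gMSA) -and ($task.Principal.LogonType -eq 'Password'))

    # 5. "Log on as a batch job" (SeBatchLogonRight) is granted directly to the gMSA's SID.
    #    secedit exports user-rights assignments as "SeBatchLogonRight = *S-1-5-...,*S-1-5-...";
    #    a grant inherited through group membership is not detected by this direct-SID check.
    $cfg = Join-Path $env:TEMP 'oda-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $batchLine     = Get-Content -Path $cfg | Where-Object { $_ -like 'SeBatchLogonRight*' }
    $hasBatchRight = [bool]($batchLine -and ($batchLine -like "*[*]$($acct.SID.Value)*"))
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CanRetrievePassword = $canRetrieve
        InstalledLocally    = $installed
        InScomAdmins        = $inScomAdmins
        TaskRunsAsGmsa      = $principalIsGmsa
        HasBatchLogonRight  = $hasBatchRight
    }
}

Test-OdaTaskPrincipal -AccountName $AccountName -CollectionServerName $CollectionServerName -ScomAdminsGroup $ScomAdminsGroup -gMSA $gMSA
```

Every field should come back `True`. `CanRetrievePassword` or `InstalledLocally` being `False` means the task will fail to start under the gMSA no matter what the task principal says; `HasBatchLogonRight` being `False` is the classic cause of a task that is configured correctly but never runs.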

Note: in the code screenshot below the working directory is named “OMS Gateway”, but that server is not a gateway; it is a Collection server. Ignore the poorly named folder path; a better path would have been “C:\ODA”.

Wait a Week

The assessment is scheduled to run once per week. Initially the Discovery dial populated but the rest of the categories remained vacant. It took about a week for data to appear in the other categories.
